Security against individual attacks for realistic quantum key distribution 

Norbert Lütkenhaus
Helsinki Institute of Physics, PL 9, FIN-00014 Helsingin yliopisto, Finland 

(February 1, 2008) 






I prove the security of quantum key distribution against individual attacks for realistic signal sources, including weak coherent pulses and downconversion sources. The proof applies to the BB84 protocol with the standard detection scheme (no strong reference pulse). I obtain a formula for the secure bit rate per time slot of an experimental setup which can be used to optimize the performance of existing schemes for the considered scenario.

I. INTRODUCTION

The first complete protocol for quantum key distribu- 
tion (qkd) has been introduced by Bennett and Bras- 
sard in 1984 M following earlier ideas by Wiesner M. 
Since then, this protocol (BB84 for short) has been im- 
plemented by several groups P E3[. For an overview 
containing more details about the background, the ex- 
perimental implementation and the classical evaluation 
procedure see for example Jjjlj [jj|- 

The basic idea of the BB84 protocol is to use a random 
string of signal states which, for example, can be realized 
as single photons in horizontal, vertical, right circular, 
or left circular polarization states. These are two sets of
states which are orthogonal within each set, and have
overlap probability 1/2 between the sets. If the receiver
chooses at random between a polarization analyzer for
linear polarization and one for circular polarization, then
they obtain in this way a raw key [17]. From this they
distill the sifted key by publicly exchanging information 
about the polarization basis of the signals and the mea- 
surement apparatus. They keep only those bits where 
the basis is the same for the signal and the measurement, 
since those signals give a deterministic relation between 
signal and measurement outcome. 

The practical implementations deviate from the theo- 
retical abstraction used in the original proposal in two 
important points. The first is that the signal states do 
not have the correct overlap probabilities. Especially 
in the photonic realization, the signals contain contribu- 
tions from higher photon numbers and from the vacuum 
state which cause this deviation. The second point is that 
the quantum channel in these implementations (optical 
fibers) shows a considerable loss. It has been shown earlier pqJiy] that the combination of the two effects opens up a security gap. The extent of this security gap has been extensively illuminated for different signal sources in [20], giving necessary conditions on the feasibility of qkd without restriction to any particular class of eavesdropping attacks. From these results one can conclude
that most current experiments are performed in a param- 
eter regime where the necessary conditions for security 
are violated. 

In the present work I will complement these results by 
a positive proof of security for a scenario where the power 
of the eavesdropper is restricted to attacking signals sep- 
arately (individual attack). This restriction allows us to 
prove the security for a realistic protocol, i.e. one where
all components are known and work efficiently. 

It is necessary to distinguish this work from earlier 
work by other groups. Lo and Chau [|l[ gave a proof 
of principle for the security of quantum key distribution. 
At present, it is not possible to use their proof to im- 
plement secure QKD since the procedure involves devices 
to manipulate qubits coherently in order to allow fault- 
tolerant computing. The approach of Mayers [p2J is cer- 
tainly the most advanced result towards practical qkd 
which is provably secure against all eavesdropping at- 
tacks on the signals. However, the proof assumes ideal 
single photon signals, and, at present, we do not have an 
extension of that proof which can cope with realistic sig- 
nal sources and effective error correction codes, although 
work in these directions is in progress. 

The restriction to eavesdropping on individual signals allows a much simpler analysis of a realistic scenario, and it is therefore advisable to use this scenario as a study for the generalization in the sense of Mayers' proof. Furthermore, the results are interesting in their own right: it seems to be impossible to perform collective measurements on the signals with today's technology. Therefore, qkd secure against individual attack will today create keys which are secure against future developments in coherent eavesdropping strategies, since tomorrow's technology cannot be used for today's eavesdropping strategy. This is in contrast to the implication of an increase of future computation power or improvements in algorithms which threaten today's use of classical encryption schemes.

In this paper I will derive a formula for the gain of 
secure bits per signal sent, that is per time slot of the 
experiment. These formulas are presented only in the 
limit of long keys, so that the influence of the necessary 
authentication of the key and all statistical influences 
regarding the number of errors etc. can be neglected. It 
is necessary to embed these results into a full protocol, 
derived, for example, in [|10|,g3 24 to which I refer the 
reader for further details. 

This paper is organized as follows. In Sec. II I will introduce the essential elements of practical quantum cryptography and report the relevant findings for single photon signals. These results are then extended in Sec. III to signal sources which generate the signal states by rotating a state in one polarization to that of the ideal BB84 polarizations. In Sec. IV, the resulting gain formula is explored for two choices for the signal source, namely weak coherent pulses (wcp) and parametric downconversion (pdc). The results are discussed in Sec. V.



II. SECURITY AGAINST INDIVIDUAL 
ATTACKS FOR SINGLE PHOTON SOURCES 

To investigate the security of QKD one needs to investigate the trade-off between the information gathered by the eavesdropper and the amount of disturbance caused thereby. The trade-off between the Shannon mutual information and the bit error rate in the sifted key has been investigated by several authors for restricted attacks [0,E5[ and for the general individual attack p6|. The results show that the gathered Shannon information for the typically observed error rate of about 1-5% is too high to allow the sifted key to be used directly for cryptographic purposes. However, we can first correct the errors and then apply the technique of generalized privacy amplification [27] to distill from the sifted key a new shorter key, which fulfills the security requirements. These techniques are purely classical. Both steps, the error correction and the privacy amplification, will reduce the number of gained secure bits.



A. Error correction

Error correction is performed by the exchange of redundant information about the key, e.g. in form of parity bits, via the public channel. Since Eve has access to the public channel, we have to take care of this flow of side-information. This can be done by using a short initial shared secret key to encrypt the parity bits in a one-time pad method. Note that in practice we cannot realize any public channel which is safe against tampering by Eve by technology alone. Therefore, sender and receiver need to share a secret key anyway to overcome this problem by the classical method of authentication p8|,p9f. As a consequence of this method of control of the side-information, we need to know how many bits need to be encrypted, which is equivalent to the number of exchanged parity bits.

It is clear that one has to be careful to implement an efficient error correction protocol, since we have to regain at least the number of secret bits used for the encryption of the parity bits. The ratio between the minimum number of redundant bits $N_{\min}^{\rm Shannon}$ needed to correct a key and its length $n$ is given according to Shannon [30] by

where $e$ is the observed error rate in the sifted key. In this limit the probability that the errors can be corrected can come arbitrarily close to unity. However, Shannon's proof of the existence of error correction codes reaching this limit is not constructive, and the limit is obtained only by large codes. These are not easily implemented because of the required computational resources. We have therefore to search for error correction tools which come close to this limit. As discussed in [23], it is hard even to approach the Shannon limit with error correction codes which use uni-directional classical communication only. Fortunately, a more efficient bi-directional code exists pij| , which uses $f[e]\,N_{\min}^{\rm Shannon}$ bits for error correction with a correction factor $f[e]$ listed in Table I.

TABLE I. Example of the performance of the bi-directional error reconciliation protocol by Brassard and Salvail [Bl|. The values are taken from that paper. Here e is the observed error rate, while f[e] is the ratio of actually needed redundant bits to the corresponding number of the Shannon limit. (I used the upper bounds for I(4) provided in the reference.)

    e       f[e]
    0.01    1.16
    0.05    1.16
    0.1     1.22
    0.15    1.35



B. Generalized privacy amplification 

In this section I report on the fraction $\tau_1$ of bits by which we need to shorten the sifted key so that we obtain a secure key. The aim of QKD is to obtain a secure key in the sense that Eve has no information on that key. This can be made precise by two properties: 1) a key $x$ of length $n_{\rm final}$ should have equal a priori probability $p(x) = 2^{-n_{\rm final}}$ and 2) the difference between the a priori and a posteriori probability, as measured by the Shannon information, should vanish. These two properties can be summarized in the demand that the expected Shannon entropy $H[\langle p(x|M)\rangle_M]$ of the a posteriori probability distribution $\langle p(x|M)\rangle_M$, after Eve's gathering of measurement results and classical communication $M$, should approach $n_{\rm final}$. (Here $\langle\ldots\rangle_M$ denotes the expectation value with respect to the measurement outcome $M$.) Generalized privacy amplification [27] achieves that by hashing the corrected sifted key into a shorter key by hash functions [28, 29] such that we obtain the bound [27] (see [23] for the extension to the expectation values with respect to $M$)

$$ H[\langle p(x|M)\rangle_M] \ge n_{\rm final} - \log_2\left(2^{n_{\rm final}}\,\langle p_c[p(x|M)]\rangle_M + 1\right). $$

Here $p_c[p(x|M)]$ is a measure of the a posteriori probability on the corrected sifted key $x$ of length $n_{\rm sif}$. This measure is the collision probability, defined as

$$ p_c[p(x|M)] = \sum_x p^2(x|M). \qquad (3) $$

If we choose the length of the final key to be

$$ n_{\rm final} = n_{\rm sif}(1-\tau_1) - n_S, \qquad (4) $$

the estimate becomes, after a further simplifying estimation

(5)

with

(6)

Clearly, we can approximate an ideal secret key arbitrarily closely by the choice of the security parameter $n_S$. For long keys, only the shortening fraction $\tau_1$ needs to be taken into account.

The above formulas show that an upper bound on the expected collision probability leads to a lower bound on the Shannon information. Such bounds have been provided for the BB84 protocol in [p3| , p4p^ 1 for various scenarios. We concentrate here on the case that the errors in the sifted key are corrected (as opposed to discarding the corresponding bits) using the bi-directional error correction procedures. We define the collision probability $p_c^{(1)}(e)$, as a function of the error rate $e$ in the sifted key, for a single bit of the corrected sifted key implicitly by

$$ \langle p_c[p(x|M)]\rangle_M = \left(p_c^{(1)}(e)\right)^{n_{\rm sif}} $$

and find the bound fl2J

$$ p_c^{(1)}(e) \le \begin{cases} \frac12 + 2e - 2e^2 & \text{for } e \le 1/2 \\ 1 & \text{for } 1/2 \le e \end{cases} \qquad (7) $$

which gives, finally,

$$ \tau_1(e) \le \begin{cases} \log_2\left(1 + 4e - 4e^2\right) & \text{for } e \le 1/2 \\ 1 & \text{for } 1/2 \le e \end{cases} \qquad (8) $$

The estimate is valid for uni-directional protocols as well since the additional information flow to Eve during bi-directional error correction takes, apparently, the form of spoiling information in the sense of [27]. As pointed out in [23], we have to be careful in dealing with ambiguous detections, for example clicks in both detectors monitoring orthogonal polarizations. A way to deal with that is to randomly assign a bit value to those events. Discarding those events would open a loophole for the eavesdropper.



C. Gain formula for single photon signals 

We can summarize the effects of error correction and privacy amplification by a gain formula for the limit of long keys. It is given by

$$ G_s = \frac12\, p_{\rm exp}\left\{1 - \tau_1 + f[e]\left(e\log_2 e + (1-e)\log_2(1-e)\right)\right\}. \qquad (9) $$

Bob's detector is triggered with probability $p_{\rm exp}$, taking into account channel losses and imperfect detection efficiencies, and in half of the cases the signal is entered into the sifted key. From the length of the sifted key we have to deduct the cost of error correction and of privacy amplification. The resulting rate for a lossless transmission, $p_{\rm exp} = 1$, and ideal error correction, $f[e] = 1$, is shown in figure 1. From there it becomes clear that the maximal tolerated error rate for this approach is around 11%.

FIG. 1. Gain of secure bits per time slot as a function of the observed error rate e for an ideal channel for single-photon signals and ideal error correction.



III. EXTENSION TO MULTI-PHOTON SOURCES 
WITH IDEAL POLARIZATIONS 

To generalize the results of the previous section to realistic signal sources we first need to consider which signal
states we can generate. We find that the typical sources
show a simple structure which allows us to describe the 
optimal eavesdropping strategy. As a consequence, we 
can bound Eve's collision probability using the results 
derived for single photon signals. 



A. Realistic signal sources 

The signal sources described here generate the signal 
from some state in one polarization mode by changing its 
polarization to one of the four BB84 polarization modes. 



Typically, there will be no fixed relation between the 
optical phase of subsequent signals. As a result, Eve 
"sees" the phase averaged form of the signals [g0[ which 
take the form of a mixture of Fock states in the chosen 
polarization mode. (The off-diagonal terms average out 
to zero.) This observation, in fact, simplifies the analysis 
of security. 

It should be noted that even if the source should bear some phase relation between subsequent pulses, this relation can be destroyed by including a phase randomizer which selects at random an optical phase for each signal. This is needed, for example, for the "plug and play scheme" by the Geneva group || . Note that the so-called phase encoding || is basically equivalent to the polarization encoding. This is so because the four BB84 polarizations can be expressed, mathematically, as a relative phase between two modes. Phase encoding uses the relative phase between two spatially separated modes (in the same fiber and the same polarization mode). They are therefore equivalent. However, in some implementations one of the spatial mode pulses has a bigger amplitude to implement some kind of strong reference pulse for an interference in Bob's detector, as proposed in the two state protocol Q and the "4+2" protocol @. The security analysis presented here does not apply to these set-ups.



B. Estimation of the collision probability 

We have seen above that for the signal sources investigated here, the signals are mixtures of Fock states in the chosen polarization mode. It turns out that Eve can split the photon number of each signal containing two or more photons by extracting one or more photons out of the signal such that both parts retain their original polarization. (See appendix EL) This can be achieved by interactions of the Jaynes-Cummings type which are preceded by a quantum non-demolition measurement of the total photon number of the signal. This does not contradict the statement of Yuen [19] that it is not possible to extract a photon from an arbitrary state, since here we are talking only about states with known total photon number, and where all photons are in a single, though unknown, mode. On the other hand, it is unclear what it would mean for other states to extract a photon such that the extracted photon and the remaining states have an unaltered polarization. Eve can perform a measurement on her photons after receiving the information about the polarization basis of the signals, and she therefore will know the bit value of these signals. On the other hand, she does not cause any errors on Bob's side, since the photons arrive there with the original polarization.

We can summarize this in the statement that the collision probability on each bit in the sifted key which stems from a multi-photon signal is equal to 1, and all errors in the sifted key are due to eavesdropping on single photon signals contributing to the sifted key.

The collision probability for the sifted key factorizes into the product of collision probabilities for each bit. If we know an upper bound on the number $m$ of multi-photon signals contributing to the sifted key, then we can estimate the collision probability on the sifted key of length $n_{\rm sif}$ by the single bit collision probabilities for single photon signals $p_c^{(1)}$ and that for multi-photon signals $p_c^{(m)} = 1$ as

$$ p_c \le \left(p_c^{(m)}\right)^{m}\left(p_c^{(1)}\right)^{n_{\rm sif}-m} = \left(p_c^{(1)}\right)^{n_{\rm sif}-m}. \qquad (10) $$

The value of the error rate at which $p_c^{(1)}$ from Eq. (7) is evaluated has to be rescaled since all errors are assumed to stem from eavesdropping on the single-photon signals. We therefore find

(11)

which gives the fraction of the key which has to be discarded during privacy amplification as

$$ \tau_1(e) = 1 + \frac{n_{\rm sif}-m}{n_{\rm sif}}\,\log_2 p_c^{(1)}. \qquad (12) $$



The number of multi-photon bits contributing to the sifted key can be bounded once we know the source characteristic in the form of probabilities $S_0$, $S_1$, and $S_m$ for the signal to contain zero, one, or more than one photon. Eve will use all multi-photon signals while she partly suppresses single-photon signals to obtain the desired fraction $p_{\rm exp}$ of signals successfully detected by Bob. Therefore the expectation value for the number $m$ of signals stemming from multi-photon signals is given by $\langle m\rangle = S_m n_{\rm tot}$, where $n_{\rm tot}$ is the total number of signals sent by Alice. We can use a theorem by Hoeffding [Q to relate the expected number of multi-photon signals $\langle m\rangle$ to the actually created number of such signals $m$ for a key of length $n_{\rm sif}$ with some probability. The statement is that the inequality

$$ |\langle m\rangle - m| < \delta\, n_{\rm tot} \qquad (13) $$

for some chosen value of $\delta$ holds with a probability $P > 1 - \exp(-2 n_{\rm tot}\delta^2)$. This means that we can choose $m = \langle m\rangle$ since we deal in this article only with the limit of large keys. For experimental realizations, however, one has to keep an eye on the choice of $\delta$ which might be rather small. Then $n_{\rm tot}$ has to be quite large to obtain a reasonable value for $P$. More discussion concerning the statistical issue can be found in [E3|.



C. Gain formula for realistic signal sources 

The gain formula for the considered signal sources is 
now given by 



2 I n sif 



(14) 
$+\, f[e]\,[e\log_2 e + (1-e)\log_2(1-e)]$

Here I included a factor $p_{\rm post}$ as the post-selection probability of the signal. We need this for a consistent presentation of the results using parametric downconversion, since there Alice performs a post-selection for each time slot. The quantities $p_{\rm exp}$, $n_{\rm tot}$, and $S_0$, $S_1$, and $S_m$ always refer to the post-selected signals to emphasise the view that post-selection is the state preparation. All parameters needed to evaluate this expression are actually observables of the experiment. The value of $n_{\rm sif}$ is agreed between Alice and Bob, the value of $n_{\rm tot}$ becomes known to them during the key generation and leads to $p_{\rm exp} = 2 n_{\rm sif}/n_{\rm tot}$. The value of $e$ is directly observed. The value of $S_m$ is indirectly measurable in Alice's laboratory and leads to $\langle m\rangle = S_m n_{\rm tot}$. We can reformulate the expression for the gain as

(15)

so that it is expressed entirely in measurable quantities. In this form we can use it to estimate the gain for a running experiment without having to implement the classical procedures of error correction and privacy amplification.



IV. SIMULATION FOR EXPERIMENTS 

To simulate the gain we can obtain from an experimental set-up, we need to model the photon number distribution of the source in more detail. Here we need more than the three probabilities $S_0$, $S_1$, and $S_m$ since the probability $p_{\rm exp}$ depends on the photon number distribution within the multi-photon signals as well. Furthermore, we need to model the expected error rate of the experiment.

In my calculation I take account of the photon number distribution of the signal source and the losses in the quantum channel. Bob's detection unit varies in different set-ups by the number of detectors etc. The parameters entering the calculation here are the single-photon detection efficiency $\eta_B$ and the dark count rate $d_B$, both given for the whole detection unit. The dark count rate is measured as dark count detections per time slot, i.e. gating window.


A. General formulas 

The probability $p_{\rm exp}$ that Bob detects a signal has two sources, one coming from the detection of signal photons, $p_{\rm exp}^{\rm signal}$, the other from the dark counts of the detectors, $p_{\rm exp}^{\rm dark}$. The combination gives

$$ p_{\rm exp} = p_{\rm exp}^{\rm signal} + p_{\rm exp}^{\rm dark} - p_{\rm exp}^{\rm signal}\, p_{\rm exp}^{\rm dark} \qquad (16) $$

where I assume that the dark counts are independent of the signal photon detection. Let $S_i$ be the probability that the source sends $i$ photons, then the probability that Bob's detector is triggered by a signal photon is given as a function of the detection efficiency $\eta_B$ and a transmission efficiency of the channel $\eta_T$ by



p; 



signal 



i=\ 
(17)



The dark count distribution is simply given by

$$ p_{\rm exp}^{\rm dark} = d_B. \qquad (18) $$

The error rate stems, again, from two sources. The first is an error rate for the detected signal photons, which is due to alignment errors or fringe visibility. The probability of an error per time slot due to this mechanism is modeled by $p_{\rm error}^{\rm signal} = c\, p_{\rm exp}^{\rm signal}$ with a constant $c$. The dark count contribution to the same error probability is given by $p_{\rm error}^{\rm dark} = \frac12 d_B$ since a dark count will result at random in one of the two measurement results for Bob, so that in half of the cases an error is created. Then the error rate in the sifted key is modeled by

$$ e = \frac{c\, p_{\rm exp}^{\rm signal} + \frac12 d_B}{p_{\rm exp}} \qquad (19) $$

in a regime where coincidences between dark counts and real counts can be neglected. For optical fibers, the losses in the quantum channel can be derived from the loss coefficient $\alpha$ measured in dB/km, the length of the fiber $l$ in km and the loss in Bob's detection unit $L_c$ in dB as

$$ \eta_T = 10^{-(\alpha l + L_c)/10}. \qquad (20) $$

Typical values for the fibre loss $\alpha$ in the three telecommunication windows at 0.8 μm, 1.3 μm, and 1.5 μm are 2.5 dB/km, 0.35 dB/km, and 0.2 dB/km respectively.



B. Weak coherent pulses 

In most experiments for QKD the signal source is a strongly attenuated laser pulse. The sources used in typical experiments, e.g. laser diodes, emit pulses whose optical phases are set at random by the initiating spontaneous emission. Therefore these sources fall into the category for which our arguments apply.

The photon number is Poisson distributed with $S_i = \exp(-\mu)\mu^i/i!$ and mean photon number $\mu$. Therefore we obtain

$$ S_m^{\rm WCP} = 1 - (1+\mu)\exp(-\mu) \qquad (21) $$

$$ p_{\rm exp}^{\rm signal} = 1 - \exp(-\eta_B\eta_T\mu) \qquad (22) $$

which allow us together with Eqs. (15)-(20) and a post-selection probability $p_{\rm post} = 1$ to calculate the expected gain per time slot of an experiment with weak coherent pulses.

TABLE II. Parameters for quantum key distribution experiments taken from the literature.

                                    BT 8         BT 13    G 13          KTH 15
                                                          J8|           [hll
    wavelength [nm]                              1300     1300          15
    channel loss [dB/km]      α     2.5          0.38     0.32          0.2
    receiver loss [dB]        L_c                5        3.2
    signal error rate [%]     e                  0.8      0.14
    dark counts [per slot]    d_B   5 x 10^-8    10^-5    8.2 x 10^-5   2 x 10
    detection efficiency [%]  η_B   50           11                     18

FIG. 2. Weak coherent pulses: The rate of secure key bits per time slot for realistic parameters described in the literature. (See table II). The rate needs to be multiplied with the repetition rate of the apparatus to obtain the true rate per second. Note that the main effect for the shown experiments is the different absorption rate of the fiber at the respective wavelength. Furthermore, these experiments were not optimized with respect to the gain presented here.

We evaluate the resulting gain rate using parameter sets taken from the literature. (See table II.) When we keep all parameters fixed and vary the expected photon number of the signal, we obtain a gain curve with a clear maximum. Furthermore, if the photon number is too low, we cannot obtain a positive gain because of the dark count rate of Bob's detector. On the other hand, for large photon numbers we cannot obtain a positive gain because of the high multi-photon probability for the signals. We concentrate on the optimal choice of the expected photon number which yields the maximal gain rate. Now we can vary the length of the transmission line. The resulting graphs are shown in figure 2. We see that the gain rate drops roughly exponentially with the length of the transmission before it starts to drop faster due to the increasing influence of the dark counts. The initial behavior is mainly due to the multi-photon component of the signals while the influence of the error-correction part is small. In this regime we can bound the gain by the approximation

$$ G \le \frac12\left(p_{\rm exp}^{\rm signal} - S_m\right) \qquad (23) $$

$$ \phantom{G} = \frac12\left\{(1+\mu)\exp(-\mu) - \exp(-\eta_B\eta_T\mu)\right\}. \qquad (24) $$

This expression is optimized if we choose $\mu = \mu_{\rm optm}$ which fulfills

$$ \eta_B\eta_T\exp(-\eta_B\eta_T\mu_{\rm optm}) - \mu_{\rm optm}\exp(-\mu_{\rm optm}) = 0. \qquad (25) $$

Since for a realistic setup we expect that $\eta_B\eta_T \ll 1$, we find $\mu_{\rm optm} \approx \eta_B\eta_T$. In this approximation we find the approximate upper bound

(26)

As the distance increases and the influence of the dark counts and the error correction grows, this approximation is no longer valid. Instead, we find in the numerical simulations that the optimal photon number is even lower. Note that in the real experiments much higher photon numbers have been used. Typically, these higher photon numbers do not allow secure key distribution over the reported distances.
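
The single-photon gain of Sec. II C and the weak-coherent-pulse model of Secs. IV A and IV B can be evaluated numerically as follows. This is an added example, not code from the paper. It assumes that the single-photon fraction of the sifted key is (p_exp - S_m)/p_exp with all errors rescaled onto that fraction, that f[e] may be interpolated linearly between the rows of Table I, and it uses constructed set-up parameters rather than the entries of Table II.

```python
import math

# Correction factor f[e] from Table I of the paper. Linear interpolation
# between rows and clamping outside 0.01..0.15 are assumptions of this example.
F_TABLE = [(0.01, 1.16), (0.05, 1.16), (0.10, 1.22), (0.15, 1.35)]


def f_ec(e):
    """Error-correction inefficiency f[e] relative to the Shannon limit."""
    if e <= F_TABLE[0][0]:
        return F_TABLE[0][1]
    for (e0, f0), (e1, f1) in zip(F_TABLE, F_TABLE[1:]):
        if e <= e1:
            return f0 + (f1 - f0) * (e - e0) / (e1 - e0)
    return F_TABLE[-1][1]


def h2(e):
    """Binary Shannon entropy in bits."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * math.log2(e) - (1 - e) * math.log2(1 - e)


def tau1(e):
    """Privacy-amplification fraction for single-photon bits, Eq. (8)."""
    return math.log2(1 + 4 * e - 4 * e * e) if e < 0.5 else 1.0


def gain(p_exp, e, s_m=0.0, f=None, p_post=1.0):
    """Secure bits per time slot; reduces to Eq. (9) for s_m = 0.

    Assumption: the single-photon fraction of the sifted key is
    beta = (p_exp - s_m) / p_exp, and all errors fall on that fraction.
    """
    if p_exp <= s_m:                      # every detected bit may be multi-photon
        return 0.0
    beta = (p_exp - s_m) / p_exp
    f = f_ec(e) if f is None else f
    g = 0.5 * p_post * p_exp * (beta * (1 - tau1(e / beta)) - f * h2(e))
    return max(g, 0.0)


def max_error_rate(f=1.0, tol=1e-9):
    """Largest error rate with positive single-photon gain (bisection)."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gain(1.0, mid, f=f) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed set-up parameters (not taken from Table II); only the fibre loss
# of 0.2 dB/km is the typical 1.5 um value quoted in the text.
SETUP = dict(alpha=0.2, loss_rx_db=1.0, eta_b=0.1, d_b=1e-6, c=0.01)


def eta_total(length_km, alpha, loss_rx_db, eta_b, **_):
    """eta_B * eta_T with eta_T from Eq. (20)."""
    return eta_b * 10 ** (-(alpha * length_km + loss_rx_db) / 10)


def wcp_gain(mu, length_km, alpha, loss_rx_db, eta_b, d_b, c):
    """Gain per time slot for weak coherent pulses of mean photon number mu."""
    eta = eta_total(length_km, alpha, loss_rx_db, eta_b)
    p_sig = 1 - math.exp(-eta * mu)                 # Eq. (22)
    p_exp = p_sig + d_b - p_sig * d_b               # Eqs. (16), (18)
    e = (c * p_sig + 0.5 * d_b) / p_exp             # Eq. (19)
    s_m = 1 - (1 + mu) * math.exp(-mu)              # Eq. (21)
    return gain(p_exp, e, s_m)


def wcp_bound(mu, eta):
    """Upper bound of Eq. (24): multi-photon effect only."""
    return 0.5 * ((1 + mu) * math.exp(-mu) - math.exp(-eta * mu))


def optimise_mu(length_km, steps=5000, **setup):
    """Grid search over mu in [1e-5, 1]; returns (mu_opt, gain_opt)."""
    best_mu, best_g = 0.0, 0.0
    for k in range(steps + 1):
        mu = 10 ** (-5 + 5 * k / steps)
        g = wcp_gain(mu, length_km, **setup)
        if g > best_g:
            best_mu, best_g = mu, g
    return best_mu, best_g


if __name__ == "__main__":
    print(f"single-photon error threshold: {max_error_rate():.4f}")
    for km in (0, 20, 50, 100, 150, 300):
        mu, g = optimise_mu(km, **SETUP)
        print(f"{km:4d} km  eta={eta_total(km, **SETUP):.2e}  mu_opt={mu:.2e}  gain={g:.2e}")
```

For these constructed parameters the optimal mean photon number stays below $\eta_B\eta_T$, and the gain vanishes once the dark counts dominate the detected signal.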

The approximate situation described above illuminates another interesting feature. As noted in [E0[, technical limitations on detectors limit the distance over which we can perform secure QKD with weak coherent pulses, and the presented security proof is in accordance with it. This limit can be stretched as the technology improves. However, the obtained distance is only one characteristic of a setup. Another is the obtained rate. We find that the gain rate per time slot is limited already by the use of the Poissonian photon number distribution and the loss in the optical fiber.

We can evaluate Eqn. (|2g) for perfect detection devices and get a bound 1 shown in Fig. in the case of the KTH set-up. The gap between bound 1 and the exact result shows how much room is left for improvements of Bob's detection apparatus. The bounds 2 and 3 take into account in addition to the fiber loss the loss in Bob's detection device and the detection efficiency. We find that bound 3 is already a good approximation to the exact results, at least for short and medium distances. This shows that the multi-photon aspect is for these distances the dominating effect compared to the effect of error correction and the influence of eavesdropping on single-photon signals, which are responsible for the gap between bound 3 and the exact curve. In order to compare the performance of different setups, one would need to multiply the gain rate with the signal repetition rate of the set-up to obtain the rate of secret bits per second. This repetition rate may be vastly different for some applications, so that the gain rate shown in Fig.g is only a starting point in optimizing the secure bit rate for a specific application. However, it shows clearly the variation of the performance as the distance varies, including the maximal possible distance.

FIG. 3. The optimal rate for the scenario of JLl) (KTH 15). Bound 1 describes the optimal possible rate given the use of Poissonian photon number distribution and the loss of the quantum channel. Bound 2 takes into account additionally the given loss in Bob's receiver, while bound 3 even includes the detection inefficiency of Bob's detector. Therefore, bound 3 represents the approximation (23).



C. Parametric downconversion for triggering 

The results of the previous section illustrate that the coverable distance for QKD is limited. As shown explicitly in [p0|, this distance can be increased by the usage of other signal sources, especially by the use of parametric downconversion. Note, however, that it has been shown there that even perfect single photon sources will lead to a limited coverable distance due to Bob's dark count rate.

I will discuss here only the use of parametric downconversion (pdc) as a triggering mechanism, although more sophisticated techniques using EPR states are possible. For that we consider the non-degenerate parametric amplifier described by the parameter $\chi$ as the product of the coupling constant and the interaction time of the process. This creates the two-mode state Ml



|*) = (coshx) 1 y^ (tanh ; 



(27) 



Alice monitors the first mode with a detector described by detection efficiency $\eta_A$ and dark count rate $d_A$. Only coincidences between Alice's and Bob's detector will be taken into account when forming the sifted key. For a low dark count rate and a small parameter $\chi$ (note that $\sinh^2\chi$ is the expected photon number in one mode) we can neglect coincidences between dark counts and detection events and associate Alice's detection event with the POM element

$$ E_{\rm click} = d_A\,|0\rangle\langle 0| + \sum_n \left(1-(1-\eta_A)^n\right)|n\rangle\langle n|. \qquad (28) $$



The signal state conditioned on Alice's detection event is 
then given by 
Ppost
with the post-selection probability as normalization factor



Ppost 



d A 



cosh x 

d\ 
cosh 2 x 
1 



+ V(i-(i-, A )») 



n=\ 



tanh n x 
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(30) 



cosh x V 1 — tanh x 1 ~~ (1 ~~ Va) tanh x 

This gives us the photon number distribution of the sig- 
nals which are obtained from this seed state by polar- 
ization rotation. From the photon number distribution 
we can calculate S m by summation and p^S„, via the 
photodetection formula [p5l as, 
1 — tanh x



1 



1 



1 - (1 - rnrjB) tanh x 
1 



1 - (1 - tja) tanh \ 



n=0 



1 - (1 - 7?a)(1 - ?7t??b) tanh %. 

As in the case of the WCP scenario, we are now in the 
position to calculate the gain rate of a setup from ex- 
perimental parameters. The simulations use experimen- 
tal values for the transmission line and detectors which 



are the same as in the WCP case. There are two differ- 
ent scenarios: Either the non-degenerate downconversion 
produces photons at the same frequency, or one can use 
downconversion with different frequencies such that the 
frequency of Alice's photon has a wavelength convenient 
for detection, while the other photon's wavelength falls 
into one of the three telecommunication windows for opti- 
mal propagation along the fiber or open air. To illustrate 
the calculation we assumed the situation where one mode 
is adapted to the 800 nm detectors of the British Tele- 
com experiment, while the signal mode is emitted in one 
of the four modes used already for the WCP case. The
results of this hypothetical experiment are shown in Fig. 4.
We find an increase of the covered distance against the 
use of the WCP source, but this happens at the expense 
of a lower rate per signal. 
FIG. 4. Parametric downconversion as triggering device:
The rate of secure key bits per time slot for realistic pa- 
rameters described in the literature. The triggering mode 
is adapted to the 800 nm detector of the BT experiment. The 
signal mode is adapted to one of the four studied cases. (See 
table II). The rate needs to be multiplied with the repetition 
rate of the apparatus to obtain the true rate per second. 

To understand the decrease of the rate, we can now
bound the maximal gain per time slot in correspondence
to the calculation for weak coherent states. It is now
convenient to introduce the expected photon number
$\mu = \sinh^2\chi$. In the optimal case, Alice's triggering detector
is perfect ($\eta_A = 1$ and $d_A = 0$), and we neglect the
negative contribution of privacy amplification and error
correction. Then we find, again using $\eta := \eta_B\eta_T$,

$$S_m\, p_{\rm post} = \frac{\mu^2}{(1+\mu)^2} , \tag{33}$$

$$p_{\rm exp}\, p_{\rm post} = \frac{\eta\mu}{1+\eta\mu} , \tag{34}$$

so that we find for the gain

$$G \leq \frac{1}{2} \left( \frac{\eta\mu}{1+\eta\mu} - \frac{\mu^2}{(1+\mu)^2} \right) . \tag{35}$$

Now the optimal mean photon number $\mu_{\rm opt}$ satisfies

$$-2\mu_{\rm opt} - 2\eta^2\mu_{\rm opt}^3 + \eta\left(1 + 3\mu_{\rm opt} - \mu_{\rm opt}^2 + \mu_{\rm opt}^3\right) = 0 \tag{36}$$

which leads for small values of $\eta$ to $\mu \approx \frac{1}{2}\eta$. In the same
limit the gain rate is approximated by

$$G \approx \frac{1}{8}\eta^2 . \tag{37}$$



This bounds the obtainable rate for the case that Bob's
detectors are perfect, so that $\eta \to \eta_T$. We find that
here weak coherent states have a potential gain rate per 
time slot which is twice as big as the one of parametric 
down conversion. The reason is that the photon number 
distribution for pdc sources is basically thermal, which 
shows a higher multi-photon contribution compared to a 
Poisson distribution with the same mean photon num- 
ber. For practical realization, however, a factor of two 
is not that significant, and the gap between gain rate of 
secure bits with imperfect tools is still by orders of magni- 
tude separated from this limit. Therefore the question re- 
mains open, which technology allows a simpler approach 
to higher rates. 
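The following numerical check of Eqs. (30), (35) and (36) is an added example, not code from the paper. It compares the closed form of the post-selection probability with the direct sum, solves Eq. (36) for the optimal mean photon number, and compares the pdc bound with a weak-coherent-pulse bound. The WCP expression is an assumption made here: Poisson statistics with p_exp = 1 - exp(-eta*mu) and S_m = 1 - (1 + mu)*exp(-mu), with dark counts, error correction and privacy amplification neglected.

```python
import math

def p_post(chi, eta_a, d_a):
    """Closed form of Eq. (30): probability that Alice's trigger detector clicks."""
    t = math.tanh(chi) ** 2
    return (d_a + 1 / (1 - t) - 1 / (1 - (1 - eta_a) * t)) / math.cosh(chi) ** 2

def p_post_sum(chi, eta_a, d_a, nmax=400):
    """Same quantity by direct summation over the pair number n."""
    t = math.tanh(chi) ** 2
    s = sum((1 - (1 - eta_a) ** n) * t ** n for n in range(1, nmax))
    return (d_a + s) / math.cosh(chi) ** 2

def gain_pdc(mu, eta):
    """Upper bound of Eq. (35): perfect trigger, mu = sinh^2(chi)."""
    return 0.5 * (eta * mu / (1 + eta * mu) - mu ** 2 / (1 + mu) ** 2)

def gain_wcp(mu, eta):
    """Assumed Poisson analogue, 1/2 (p_exp - S_m), without dark counts."""
    return 0.5 * ((1 + mu) * math.exp(-mu) - math.exp(-eta * mu))

def bisect(f, lo, hi, steps=200):
    """Root of f on [lo, hi], assuming f(lo) > 0 > f(hi)."""
    for _ in range(steps):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if f(mid) > 0 else (lo, mid)
    return 0.5 * (lo + hi)

def mu_opt_pdc(eta):
    """Solve Eq. (36) for the optimal mean photon number of the pdc source."""
    return bisect(lambda m: -2*m - 2*eta**2*m**3 + eta*(1 + 3*m - m**2 + m**3),
                  0.0, 1.0)

def mu_opt_wcp(eta):
    """Stationary point of gain_wcp: eta*exp(-eta*mu) = mu*exp(-mu)."""
    return bisect(lambda m: eta*math.exp(-eta*m) - m*math.exp(-m), 0.0, 1.0)

if __name__ == "__main__":
    for eta in (0.1, 0.01, 0.001):  # constructed sample transmission values
        mp, mw = mu_opt_pdc(eta), mu_opt_wcp(eta)
        print(eta, mp, gain_pdc(mp, eta), mw, gain_wcp(mw, eta))
```

For small eta the printed optima approach mu = eta/2 for pdc and mu = eta for WCP, and the ratio of the two gain bounds approaches two.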

Note that one would need to take into account the loss
occurring when Alice couples the photon for Bob into a
fiber. This loss can be easily incorporated in these
calculations since the resulting photon number distribution of
the signals can be obtained using the photon count
formulas. Here, however, we do not study this additional
parameter. The corresponding formulas are given in
appendix B.



V. CONCLUSIONS 

In this paper I presented a security proof of quantum
cryptography which is restricted to individual attacks.
This proof takes into account the non-ideal signal sources
and detectors. Moreover, it allows one to compare the
performance of different arrangements with respect to the
overall gain rate. In this sense it can help to decide which
type of source to use, for example weak coherent pulses
or downconversion, depending on the available technology
and the task fixing, for example, wavelength and
distance. For existing experiments, it allows one to find the
optimal mean photon number of the source and the
optimal working point for Bob's detectors.

We found that the use of pdc sources with a simple
triggering mechanism does not increase the overall
rate of secure bits, but it allows one to increase the distance
which can be covered by experiments. The rate could be
improved by a more sophisticated detection mechanism,
where Alice could, at least partly, determine the number
of pairs produced in a time slot. Even if this mechanism
does not work perfectly, it would improve the rate and
distance.

Our examples show that the use of WCP sources gives, 
typically, higher rates per time slot than the use of PDC 
sources, as long as the distance is not too big. I would 
like to point out again, that in the end the total rate, 
that is the rate per time slot times the repetition rate of 
the set-up, is what counts. It depends therefore on the 
bottle-neck of the set-up which design can be made the 
fastest. 

The problem of non-ideal sources in the presence of
loss has been known since 1995. There have been proposals
to use strong reference pulses in the two-state protocol
JL4| and the BB84 protocol pq| , but so far these ideas
have not been implemented. The reference pulses make
it more difficult for Eve to block signals, since in those
schemes Bob measures the interference of the strong
reference pulse with the weak signal, so that the absence
of the weak signal will lead to an error in half of the
cases. I would like to point out that the security of this
scheme has not yet been fully analyzed, even for individual
attacks, but this scheme is certainly the hope for the
future to improve on the BB84 protocol analyzed here.
APPENDIX A: PHOTON NUMBER SPLITTING

The photon number splitting idea has been presented
already in p0| . Here I want to provide more details. To
perform photon number splitting, Eve performs a quantum
non-demolition measurement on the total photon
number in both polarization modes. As a result the signal
is now described by an n-photon state in the unknown and
undisturbed signal polarization, and the photon number
n is known to Eve.

The task is now to find a unitary transformation $U_{\rm PNS}^{(n)}$,
which depends on the value of n, such that precisely one
photon from the two signal polarization modes $a_i$ is
transferred to two additional polarization modes $b_i$ which are
in Eve's hand. The polarization of either part should be
equal to the original one. This means we require that the
two signals of the first polarization basis (+) transform
as

$$U_{\rm PNS}^{(n)}\, |n,0,0,0\rangle_+ = |n-1,0,1,0\rangle_+ , \qquad U_{\rm PNS}^{(n)}\, |0,n,0,0\rangle_+ = |0,n-1,0,1\rangle_+ . \tag{A1}$$



Here the components of the state vector $|\ldots\rangle_+$ correspond
to the photon number occupation of the modes
$a_1, a_2, b_1, b_2$ respectively. The requirement for the two
signal states of the second polarization basis ($\times$) is easily
formulated if we choose the mode representation defined
by the operators $a_\pm = \frac{1}{\sqrt{2}}(a_1 \pm a_2)$ and
$b_\pm = \frac{1}{\sqrt{2}}(b_1 \pm b_2)$. The state vector $|\ldots\rangle_\times$ now denotes the
occupation number in the modes $a_+, a_-, b_+, b_-$. We
require that

$$U_{\rm PNS}^{(n)}\, |n,0,0,0\rangle_\times = |n-1,0,1,0\rangle_\times , \qquad U_{\rm PNS}^{(n)}\, |0,n,0,0\rangle_\times = |0,n-1,0,1\rangle_\times . \tag{A2}$$

Indeed, a transformation $U_{\rm PNS}^{(n)}$ with these properties
can be found [36]. Eve uses an interaction described by
a Jaynes-Cummings Hamiltonian

$$H_{\rm JC}^{(1)} = \lambda \left( a_1^\dagger \sigma_1 + a_1 \sigma_1^\dagger + a_2^\dagger \sigma_2 + a_2 \sigma_2^\dagger \right)$$

to connect the signal modes to a three level system with
one ground state $|g\rangle$ and two upper states $|e_i\rangle$ with
atomic excitation operators $\sigma_i^\dagger$ (i = 1,2) [36]. (For a
review of the Jaynes-Cummings model see p7J.) The
system is initially prepared in the ground state. After
an interaction time t — ^- , which depends on n,
the first two signal states transform into
$|n,0\rangle_+ |g\rangle \to |n-1,0\rangle_+ |e_1\rangle$ and $|0,n\rangle_+ |g\rangle \to |0,n-1\rangle_+ |e_2\rangle$. The same
dynamics involving two additional photonic modes, $b_1$
and $b_2$, and the Hamiltonian

$$H_{\rm JC}^{(2)} = \lambda \left( b_1^\dagger \sigma_1 + b_1 \sigma_1^\dagger + b_2^\dagger \sigma_2 + b_2 \sigma_2^\dagger \right)$$

transfers (after interaction time t — ^-) the excitation
to a photon in the original polarization into the modes
$b_i$. In total we have then achieved the transformations
(A1) while the three-level system factors out. As shown,
this mechanism works fine for the first two signal states.
To see that it works for the other states as well note
that we can introduce a new description of the three level
system with the superpositions of the upper levels as new
excited states so that $\sigma_\pm = \frac{1}{\sqrt{2}}(\sigma_1 \pm \sigma_2)$ are the new
atomic operators. Then we find that the Hamiltonians,
written with these new atomic operators and with the
photonic operators in the base ($\times$), have the form
$H_{\rm JC}^{(1)} = \lambda ( a_+^\dagger \sigma_+ + a_+ \sigma_+^\dagger + a_-^\dagger \sigma_- + a_- \sigma_-^\dagger )$ and
$H_{\rm JC}^{(2)} = \lambda ( b_+^\dagger \sigma_+ + b_+ \sigma_+^\dagger + b_-^\dagger \sigma_- + b_- \sigma_-^\dagger )$.
We see, the Hamiltonians are form
invariant under the above transformations, and it
follows that this scheme performs the mapping of (A2) as
well. In general, this scheme is able to split one photon off
any n-photon state with definite polarization, regardless
what this polarization may be.



APPENDIX B: pdc WITH FINITE COUPLING 
EFFICIENCY 

In this appendix I provide the straightforwardly derived
formulas for the case where we use a parametric
downconversion source for the triggering of the signal, and the
signal travelling to Bob couples only with a finite
efficiency $\eta_c$ into the fiber. All losses on Alice's side which
cannot be accessed by Eve can be incorporated into this
efficiency. Conditioned on a click in Alice's triggering
detector we find the following results:
(B5)
(B6) 



1 



f 



1 - (1 - rnr/cm) tanh 2 x 1 - (1 - Va) tanh 2 x 
1 



1 - (1 - r; A )(l - mncm) tanh x 

With these quantities we can, as before, determine the 
optimal gain for a given setup. 